MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 755aeb3fe63418f2550fc79b3b0007deb7dd4737c641c773c1f3625f3adf81eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 755aeb3fe63418f2550fc79b3b0007deb7dd4737c641c773c1f3625f3adf81eb
SHA3-384 hash: e1687edf870c409577dd415287510a097abfd9607d58942ffd5570e496c733c9d239657217b208b3594d2e7f1bb83be0
SHA1 hash: fd411557be7f817d0373a6406a69f4482484ac48
MD5 hash: 1ff78a97390d0f880a05b24bef9cefda
humanhash: seventeen-two-cold-magnesium
File name:daily forex_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:810'496 bytes
First seen:2020-07-08 16:52:31 UTC
Last seen:2020-07-08 17:58:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:owFr5U+YpqjzEsj5JoISEXp7G+g1YmNsFH3OKABVDoNOq3bS9H5:owFzYpknjI1iFngLNkO3Byd
Threatray 10'618 similar samples on MalwareBazaar
TLSH F305710CBB4469F2DD3D18B549890738162094A703A0FADB7FDE47E9A31D6E7694FB80
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: web2-reiner.itecnis.com
Sending IP: 186.148.232.48
From: Oliver Flynn <O.flynn@nityo.com>
Subject: DAILY FOREX OUTLOOK
Attachment: daily forex_pdf.gz (contains "daily forex_pdf.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23288/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.16663.27385.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Creating a file
Stealing user critical data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/755aeb3fe63418f2550fc79b3b0007deb7dd4737c641c773c1f3625f3adf81eb/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-08 16:54:07 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovnowp7ggqmpevipy6ntwaah32352rzxyza4o46b6nrf6ow7qhvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
34389c63bfec9402befc3afc4d92259a43056b33d6e4b70054d50ba38d258981
AgentTesla
5982c72d72560082aeae32c2c6dee7c21880104bca850368f323cfbdd521bfe7
AgentTesla
8f700076c9355cc2a07b8dcc4136d1364e987eebc063fb2e2b94e9b06989dea5
AgentTesla
9a461345aa76acd802aebd2426775b952f411c0c1def2ae141f23fe4a16b5e7c
AgentTesla
a348251ca8856d6984701e79b0946e27410542a8d6769bc0d902239ff41efc9f
AgentTesla
ab805d4c1f86746cea0dea2ea274356015590fff0a7ee78cd0c1d26b98d1762d
AgentTesla
b0cda517ace59b7d9be1d0dc49c2d85ff42fb780d86ee2623a206663486ed7c6
AgentTesla
bc969496b9340a4fc425080312aef077c477680d6370370dc75edad1493837d3
AgentTesla
c890bc2e899bdb9c2a7cbe9ab52b852c5ea6832e44615f2afc66ab47925866d2
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
+ 10'608 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200708-t8vazsnace/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

9ef27f5078d1fc9b231722e758ce6f23

AgentTesla

Executable exe 755aeb3fe63418f2550fc79b3b0007deb7dd4737c641c773c1f3625f3adf81eb

(this sample)

  
Dropped by
MD5 9ef27f5078d1fc9b231722e758ce6f23
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23288/

Comments